How can I whitelist egress traffic with a NetworkPolicy without preventing Apache Ignite from starting up?

I have a more or less complex microservice architecture in which Apache Ignite is used as a stateless database / cache. The Ignite Pod is the only Pod in its Namespace, and the architecture has to pass a security audit, which it will not pass unless I apply the most restrictive NetworkPolicy for egress traffic to that Namespace. It has to restrict all possible traffic that Ignite itself does not need.

At first I thought: nice, Ignite doesn't push any traffic to other Pods (there are no other pods in that Namespace), so this should be easy to achieve by restricting all egress traffic in the Namespace in which Ignite is the only Pod!

Well, that actually didn't work out well:
Any egress rule, even if I allow traffic to all ports mentioned in the Ignite documentation, causes the startup to fail with an IgniteSpiException stating Failed to retrieve Ignite pods IP addresses, Caused by: java.net.ConnectException: Operation timed out (Connection timed out).

The problem seems to be the TcpDiscoveryKubernetesIpFinder, especially the method getRegisteredAddresses(...), which apparently performs some egress traffic inside the Namespace to register the IP addresses of the Ignite nodes. The discovery port 47500 is of course allowed, but that doesn't change the situation. Ignite works with Pods in other Namespaces when no egress rules are applied, which means (to me) that the configuration concerning the ClusterRole, the ClusterRoleBinding, a Service in the Namespace, the xml configuration of Ignite itself and so on seems to be correct. Even the ingress rules restricting traffic from other namespaces work as expected, allowing exactly the desired traffic.

These are the policies I applied:

[working, blocking only undesired traffic]

## Denies all Ingress traffic to all Pods in the Namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress-in-cache-ns
  namespace: cache-ns
spec:
  # selecting nothing here will deny all traffic between pods in the namespace
  podSelector:
    matchLabels: {}
  # traffic routes to be considered, here: incoming exclusively
  policyTypes:
    - Ingress
---
## Allows necessary ingress traffic
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: netpol-cache-ns
  namespace: cache-ns
# defines the pod(s) that this policy is targeting
spec:
  policyTypes:
    - Ingress
  podSelector:
    matchLabels:
      app: ignite
  # <----incoming traffic----
  ingress:
    - from:
      - namespaceSelector:
          matchLabels:
            zone: somewhere-else
        podSelector:
          matchExpressions:
            - key: app
              operator: In
              values: [some-pod, another-pod]  # dummy names, these Pods don't matter at all
      ports:
        - port: 11211   # JDBC
          protocol: TCP
        - port: 47100   # SPI communication
          protocol: TCP
        - port: 47500   # SPI discovery (CRITICAL, most likely...)
          protocol: TCP
        - port: 10800   # SQL
          protocol: TCP
# ----outgoing traffic---->
# NONE AT ALL

After applying these two, everything works fine, but the security audit will say something like:
Where are the egress restrictions? What if this node gets hacked via the allowed routes because one of the Pods using these routes has been hacked before? It could then call a C&C server! This configuration will not be permitted, harden your architecture!

[blocking desired/necessary traffic]

Denying all traffic in general...

## Denies all traffic to all Pods in the Namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-traffic-in-cache-ns
  namespace: cache-ns
spec:
  # selecting nothing here will deny all traffic between pods in the namespace
  podSelector:
    matchLabels: {}
  # traffic routes to be considered, here: incoming exclusively
  policyTypes:
    - Ingress
    - Egress   # <------ THIS IS THE DIFFERENCE TO THE WORKING ONE ABOVE

....and subsequently allowing specific routes

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: netpol-cache-ns-egress
  namespace: cache-ns
# defines the pod(s) that this policy is targeting
spec:
  policyTypes:
    - Egress
  podSelector:
    matchLabels:
      app: ignite
  # ----outgoing traffic---->
  egress:
    # [NOT SUFFICIENT]
    # allow egress to this namespace at specific ports
    - to:
      - namespaceSelector:
          matchLabels:
            zone: cache-zone
      ports:
        - protocol: TCP
          port: 10800
        - protocol: TCP
          port: 47100   # SPI communication
        - protocol: TCP
          port: 47500
    # [NOT SUFFICIENT]
    # allow dns resolution in general (no namespace or pod restriction)
    - ports:
      - protocol: TCP
        port: 53
      - protocol: UDP
        port: 53
    # [NOT SUFFICIENT]
    # allow egress to the kube-system (label is present!)
    - to:
      - namespaceSelector:
          matchLabels:
            zone: kube-system
    # [NOT SUFFICIENT]
    # allow egress in this namespace and for the ignite pod
    - to:
      - namespaceSelector:
          matchLabels:
            zone: cache-zone
        podSelector:
          matchLabels:
            app: ignite
    # [NOT SUFFICIENT]
    # allow traffic to the IP address of the ignite pod
    - to:
      - ipBlock:
          cidr: 172.21.70.49/32  # won't work well since those addresses are dynamic
      ports:
        - port: 11211   # JDBC
          protocol: TCP
        - port: 47100   # SPI communication
          protocol: TCP
        - port: 47500   # SPI discovery (CRITICAL, most likely...)
          protocol: TCP
        - port: 49112   # JMX
          protocol: TCP
        - port: 10800   # SQL
          protocol: TCP
        - port: 8080    # REST
          protocol: TCP
        - port: 10900   # thin clients
          protocol: TCP

The Apache Ignite version used is 2.10.0.

Now the question to all readers is:

How can I restrict Egress in the Ignite Namespace to the absolute minimum so that Ignite starts up and works correctly? Would it be sufficient to deny Egress only to destinations outside the cluster?

If you need more yaml for guessing or hints, feel free to ask for them in the comments.
Sorry if the tags seem inappropriate; I couldn't find the tag kubernetes-networkpolicy as it appears on stackoverflow.

Update:

Running nslookup -debug kubernetes.default.svc.cluster.local from inside the ignite pod, without any policy restricting egress, shows

BusyBox v1.29.3 (2019-01-24 07:45:07 UTC) multi-call binary.

Usage: nslookup HOST [DNS_SERVER]

Query DNS about HOST

As soon as a NetworkPolicy (any of them) restricting Egress to specific ports, pods and namespaces is applied, the Ignite pod refuses to start and the lookup no longer reaches kubernetes.default.svc.cluster.local.

Egress to DNS allowed (UDP 53 to k8s-app:kube-dns) ⇒ still no ip lookup possible
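An added example, not part of the question: a small Python evaluator of NetworkPolicy egress matching, run over the rules of the netpol-cache-ns-egress policy above, to make explicit which destinations those rules actually permit. The destination addresses are constructed, and it assumes that the API server ClusterIP is not a pod and therefore carries no namespace or pod labels, which is why only an ipBlock entry can match it.

```python
import ipaddress

# The question's egress policy (netpol-cache-ns-egress) as a Python dict mirroring the
# YAML, abbreviated to the rules exercised below; labels and the /32 are the question's.
POLICY = {"spec": {"policyTypes": ["Egress"], "egress": [
    {"to": [{"namespaceSelector": {"matchLabels": {"zone": "cache-zone"}}}],
     "ports": [{"protocol": "TCP", "port": p} for p in (10800, 47100, 47500)]},
    {"ports": [{"protocol": "TCP", "port": 53}, {"protocol": "UDP", "port": 53}]},
    {"to": [{"namespaceSelector": {"matchLabels": {"zone": "kube-system"}}}]},
    {"to": [{"ipBlock": {"cidr": "172.21.70.49/32"}}],
     "ports": [{"protocol": "TCP", "port": 47500}]},
]}}

def labels_match(selector, labels):
    """matchLabels only (all the egress policy uses); an empty selector matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, dst):
    """One `to:` entry. ipBlock stands alone; namespaceSelector and podSelector are ANDed."""
    if "ipBlock" in peer:
        return ipaddress.ip_address(dst["ip"]) in ipaddress.ip_network(peer["ipBlock"]["cidr"])
    for field, key in (("namespaceSelector", "ns_labels"), ("podSelector", "pod_labels")):
        # a destination that is not a pod (external IP, API server endpoint) has no labels
        # and therefore can never satisfy a label selector, only an ipBlock
        if field in peer and (dst.get(key) is None or not labels_match(peer[field], dst[key])):
            return False
    return True

def egress_allowed(policy, dst):
    """True if any egress rule permits dst = {ip, port, protocol, ns_labels, pod_labels}.
    Rules are ORed; within a rule `to` and `ports` are ANDed; an omitted list matches all."""
    for rule in policy["spec"].get("egress", []):
        to_ok = not rule.get("to") or any(peer_matches(p, dst) for p in rule["to"])
        ports_ok = not rule.get("ports") or any(
            p["port"] == dst["port"] and p.get("protocol", "TCP") == dst["protocol"]
            for p in rule["ports"])
        if to_ok and ports_ok:
            return True
    return False

# Constructed destinations (addresses made up): a second Ignite pod, the cluster DNS,
# and the API server ClusterIP, assumed not to be a pod and so carrying no labels.
IGNITE_PEER = {"ip": "172.21.70.50", "port": 47500, "protocol": "TCP",
               "ns_labels": {"zone": "cache-zone"}, "pod_labels": {"app": "ignite"}}
KUBE_DNS = {"ip": "10.96.0.10", "port": 53, "protocol": "UDP",
            "ns_labels": {"zone": "kube-system"}, "pod_labels": {"k8s-app": "kube-dns"}}
API_SERVER = {"ip": "10.96.0.1", "port": 443, "protocol": "TCP",
              "ns_labels": None, "pod_labels": None}
```

The evaluator does not model ipBlock `except` lists or matchExpressions, which the egress policy above does not use.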
